I have kind of a complex client authentication scenario that I’m looking for advice on the proper OAuth flow to use with.
In our current state we have an Angular web client that uses Okta Auth Code with PKCE for authentication. That application is also wrapped with the Capacitor runtime library for mobile app distribution. Currently we are only using authentication for the web client as the mobile version is still in development. We are using the Okta Angular library along with the sign-in widget and I don’t anticipate any issues with it in the mobile version.
Here’s where things get a bit interesting. That client app, in addition to running web and mobile, is also planned to run on a dedicated Android hardware device that we have full control over the stack on. The requirement is that the device will need to authenticate with its own identity independent of an actual user. A user will be able to authenticate as themselves on this device but often may not. Therefore, the device needs to authenticate as a “user” in order to be able to access secured back-end resources. The device will have its own physical access layer (PIN based or comparable) for restricting access to the device.
In addition to the Android/Angular native web app we will have devices running a NodeJS app on Linux that also need to authenticate in the same manner.
At first glance the Client Credentials flow would seem to meet the need, however, some of these devices would not be 100% secure with regard to exposing the underlying app and the credential storage/management.